Description
Describe the bug:
Space-based permissions in Elastic Security do not properly restrict access to built-in detection rules. Users granted access to the Security solution (e.g., analysts allowed to create or manage rules) can still view, enable, or disable all prebuilt detection rules, even when they should not have permission to manage those default rules.
Kibana/Elasticsearch Stack version:
8.6
Server OS version:
Redhat 8.9
Browser and Browser OS versions:
Chrome, Edge
Elastic Endpoint version:
8.4
Steps to reproduce:
- Create a Kibana role scoped to a specific space with Security feature access that allows rule creation/management (analyst-level permissions).
- Assign the role to a user.
- Log in as that user and navigate to Security → Rules (Detection rules).
- Observe visibility and control over prebuilt (Elastic) detection rules.
Current behavior:
The user can see all prebuilt detection rules and can enable, disable, or modify them, even though their role is intended to restrict them to working only with custom rules in their assigned space.
Expected behavior:
RBAC should support clear separation between custom and prebuilt detection rules. Analysts should be able to create and manage their own rules without visibility or control over Elastic prebuilt rules, like enabling it, for example. I think maybe they should be able to duplicate it, I guess, if they want to use it as a baseline. And administrators should be able to configure whether prebuilt rules are visible or manageable within a given space according to specific permissions or RBAC policy.